This post will serve to help step you through the process of rooting your Google Nexus device with the systemless root method. As any technique’s change due to software updates, I intend to keep this post updated with that latest information. First a bit of background to clarify the traditional root with what is now known as systemless root.
As google releases newer versions of Android, they are also attempting to increase the security of their handsets. They have enabled SELinux by default, added safetynet checks, and some boot up warning messages. The traditional root methods would install a superuser binary, “su”, onto the system partition of your phone, allowing apps to ask for root rights and escalate their privileges. Within the android community, we want the benefit’s that root access provides but we don’t necessarily want it at the cost of discarding all the security protections google is trying to include. In other words, we can attempt to be better citizens of the android rooting community by trying to have our root methods work within these security confines as much as possible. The first bit that happened along these lines was that instead of rooting the new marshmallow OS and disabling SELinux with custom kernels, the new root method patched the kernels and updated SELinux policies to include what is needed for root applications to run and request the escalation’s they typically need. The second bit was the ability to root without touching the system partition at all, keeping it completely stock which has the unintended side effect of also allowing Android Pay to work on a systemless rooted device.

What is root and why care about systemless?

I’d like to define what root really means. It’s quite simple really, root is obtaining elevated privileges on the device. It does not guarantee anything else but those escalated privileges. With other security methods being employed on devices, this does NOT mean you will be able to do everything with those escalated privileges. Depending on your device, selinux policies may still hamper what you want to do, the system partition may still not be writable or may have no free space from the stock image. Root doesn’t mean you can modify anything it just means you have the elevated root privileges on that device.

It’s important to have this understanding as we discuss systemless root. Some of the benefits of a systemless root is being able to have those escalated privileges while not tripping many of the other security flags set in place. You are able to keep a stock system image for the first time, in fact never even mounting it for rw access at all. This currently allows for safetynet checks to pass and as such Android Pay even still works on devices rooted in this manner. As the development of this method matures, receiving OTA updates may be easier as you’d just need to revert the modified boot.img (kernel) back to stock to apply the OTA update, then patch the new one to get root back.

Obtaining a pure systemless root

Getting systemless root and even manually installing any of the monthly security updates is pretty easy once you’ve done it. It takes me about 5 minutes to install a monthly update and re-root on my Nexus devices. It will only get easier if SuperSu adds reverting the modified boot.img. First let’s get some pre-requisites out of the way.

Pre-requisites:

Install the Android SDK. From the link, grab the SDK Tools only for your platform. Extract it to some folder in your OS, doesn’t really matter where, let’s just say you extracted it to the SDK folder. In windows you want to go into android-sdk-windows that was extracted and run the “SDK Manager.exe”. For mac/linux go into your extracted folder and look for a tools/ folder. In there you’ll see and android executable file. Run that.

Once you have the Android SDK Manager open, click Deselect All on the bottom and just select to install the “Android SDK Platform-tools”, which is in the Tools section, and the “Android Support Library” down in the Extras section. If you are on Windows also check the Google USB Driver in that section. Click to install. Once completed the only real tools we now care about live in a platform-tools folder that is in your extracted sdk directory. Everytime you go to update your device you should run the Android SDK Manager again and see if any of these 3 check boxes have updates available. If they do, update them as it’ll help avoid potential future issues.

Download the latest TWRP recovery for your device. Using a web browser navigate to http://twrp.me, click on the Devices link in the upper right and search for your device, ie “Nexus 6p” or “Nexus 5X”, etc. Once found, click on it, go down to the Download Links: section and click on the “Primary (Recommended)”. Download the latest version of twrp-x.x.x.x.img file you see there.

Download the Google Factory Image for your device. Just find your device in that list and download the latest version which will be the last link in the column for your device. You’ll want to extract this .tgz file but not the zip inside it.

Next we need SuperSu itself. Currently the version of SuperSu we want is available from Post #3 in this thread. Since it is a Work in Progress (WIP). You’ll want the latest version you see there which currently is “BETA-SuperSU-v2.66-20160103015024.zip”. Don’t extract this zip just download it.

Now we are prepped, outside of checking for newer versions of these pre-req’s once in a while you don’t have to do these steps for every update. Now lets root our Nexus device without modifying (or even mounting the /system partition).

Apply Systemless Root:

First you’ll want to reboot your device into the bootloader. So that I don’t have to baby step you here feel free to use google like ‘how to reboot <device name> into bootloader’ but basically power it off then hold vol down + power until you see the logo then release power. Done successfully, you should see a screen with the android logo on its back and a bunch of smaller sized text on the bottom.

Once in the bootloader, usb your device to your computer and using a command line go into your platform-tools folder from above. Run the command fastboot devicesSide Note:If you are in windows you’d probably have to type fastboot as fastboot.exe and if you are in mac/linux you may have to use ./fastboot to reference the one in the folder you are in. I’ve added the platform-tools directory to my path so if you do that in any OS, you can just type it as “fastboot” and not even be in the platform-tools folder. Regardless, once you see your device show up in the output of fastboot devices you can then proceed to unlock your bootloader. For the Nexus 6p and Nexus 5x you would use fastboot flashing unlock and for older Nexus phones you can use fastboot oem unlock. Look at your device and select Yes with the volume and power keys and now your device should show that it is bootloader unlocked.

Now we can flash our previously downloaded factory image to either update to this version or do a full factory return to stock. If you look in the extracted factory image you’ll see a .zip, a radio.img, bootloader.img and scripts called “flash-all”. If you want to wipe your data and return to stock while flashing all these to their latest versions you can just run the flash-all script for your OS. If you look on your device in the bootloader screen it will display the version of your bootloader and radio (could be labeled Baseband). You can then see the version of the two .img files and determine if they have been updated. Since google is releasing monthly security updates, many times these are not updated. If they are newer than what is on your device you would flash them with:

To flash the rest of the device partitions you can typefastboot update image-blah.zip
This will NOT wipe your data, you can run this to update every partition with that factory image. If you want to factory reset your device with this version then you’d add a “-w” to that command to tell it to wipe as in: fastboot -w update image-blah.zip
After flashing the factory image, even if you intend to systemless root, let your device boot the first time and go through updating the apps. Once booted then power back off and go to the bootloader again.

[UPDATE 05/2016] – Google has released the OTA images for Nexus devices available here. So optionally, instead of running the fastboot update image-blah.zip command from above that is a few hundred megs and reflashes everything. You can instead just apply your OTA via adb sideload as detailed on their site. This should be a tad quicker and then you can continue on below just as before.

Now we have the latest factory image on our device and we need to systemless root it. In order to flash the SuperSu zip we need to use a special recovery. That is the TWRP software we downloaded. You can either flash this recovery with fastboot flash recovery twrp.img or you can just boot into it temporarily in order to get root applied. I prefer the latter since it is one less thing to revert if I want to take an OTA update in the future. To just boot into twrp recovery we issue: fastboot boot twrp.img. When twrp boots it will ask if you’d like to keep system read-only. You’ll want to say yes to that since we don’t want to even mount system for writing at all.
Next we use the adb tool that is also in the platform-tools folder. We want to push our SuperSu zip file we downloaded from pre-requisite step 5. If you have that zip in your platform tools folder the command would be adb push BETA-SuperSU-vX.x.x.zip /sdcard/Download/. Don’t forget about that period at the end. Now before we install SuperSu we want to ensure it doesn’t bind mount a /system/xbin as that will trip SafetyNet checks. So we use adb again but this time the command is adb shell "echo BINDSYSTEMXBIN=false>>/data/.supersu"
Now on your device you can click the Install button, navigate to the /sdcard/Download folder and flash the SuperSu zip file you see there.

That’s it! Reboot your device, if TWRP asks to install SuperSu be sure to say NO. This looks like a lot but once you go through it once, and have the pre-req’s all set, you can install the monthly updates in a matter of 5 minutes. The benefit is they post the updates to the google factory images before developer’s will even see the code in AOSP and before they ever push OTA updates. So by using this method you can get onto these updates right away without waiting for anything.

Apps with workarounds for Systemless root

Since we installed systemless root here and the idea is to keep the system partition completely pristine and stock I’d like to point out some of the more valuable root applications you can run while in this mode and a couple that typically need to modify system but you can have them function perfectly fine still. First, I have root apps like Titanium Backup, Greenify, CF Lumen, Nova Launcher that all have root access and don’t touch my system. One of the most important apps for me to use however is AdAway which needs to modify the /system/etc/hosts file in order to function properly. Many people also use busybox which installs to system so both of these apps we need to do a couple workarounds to keep them from not touching our /system partition.

AdAway

For AdAway it has been made fairly simple. You’ll want to go this XDA forum thread and download both the latest AdAway application and the zip mentioned for systemless hosts file. Boot your device into that twrp recovery again. Use adb to adb push these two files to /sdcard/Download. just as we did for the SuperSu zip. In the recovery flash the AdAway_systemless_hosts.zip and reboot your phone. Back in your OS install AdAway from your /sdcard/Download folder using any file explorer like FX File Explorer or even from F-Droid. Now run AdAway, leaving it at its default target hosts location of /system/etc/hosts.

How can AdAway write to /system/etc/hosts yet we still aren’t modifying our system partition? Well that systemless_hosts zip you flashed setup a special mount on the filesystem of your phone such that /su/etc/hosts (our systemless root is /su) was bind mounted to /system/etc/hosts. So even though AdAway thinks its writing to /system/etc/hosts it is really going to /su/etc/hosts which is mounted in our /data partition. This might be hard for some to follow but just know if you flash that zip you can use AdAway as normal and it will not be touching your system.

Busybox

Getting busybox to not modify system is a bit more tricky. Will update this post as I gather that information in detail.

How did it come to this. The messaging revolution. The patented keyboard. The innovative user interface. The security surrounding the entire solution.

I remember when the BlackBerry was the best messaging device around and when being the best messaging device in a smartphone world was good enough to do well in. What happened? Why is RIM losing now? The same reason many other companies fail, they stayed too stagnant for too long. Granted they released new devices, new OS versions, etcetera, but they never strayed far from where they started. To be fair they probably were afraid too. They had a good thing going, a good niche. Why rock the boat? Well cause if you don’t someone else will, and in this case their boat is being buffeted hard from waves by Apple and Google (see image). Where can they go from here? A steady decline into destruction like Palm? Can their incremental upcoming changes with the Playbook, revamped app store, QNX acquisition pull them back into the forefront? I have answers, only time will tell if I’m right.

To get right to the point, what RIM needs to do is create a BlackBerry app for Android and iOS. They need to take their gold standard messaging solution; email, contacts, calendar, notes, tasks, and package the enterprise grade functionality of it into one application that can run on android and iOS. Crazy? Nope, they sort of did it before, remember Blackberry Connect? It was an application that ran on other handsets, most notably the Nokia E61 and Treo 650. Here’s a refresher on Blackberry Connect. It really was a failure, the very few handsets the software worked on gave you a crippled Blackberry experience at best. But this new BlackBerry app could work this time, in fact it could reinvent blackberry. The app could carve up an encrypted section of storage for itself on the device. This partition would contain the whole world the app knows about in order to function as its own BlackBerry device. So if this application was enterprise activated on a corporate BES server and the administrator issued a remote wipe command it would simply securely delete the encryption key and kill the partition. Its world now gone, user’s personal data just as it were, untouched. With a good licensing model Blackberry could profit more getting this app on Android devices and the iPhone over the costs associated with making their own handsets. They can continue with their handsets but this will give them a vertical market that they can own and apply their years of expertise to while seeing if they can sustain/revamp their hardware and antiquated OS in todays world of a new android handheld every month.

Now I thought I came up with this idea by myself. Turns out there is a company, Good Technology doing this today with their own software. Now last I knew about Good around the 2003-2005 time frame they were a wannabe Blackberry competitor and a bad one at that. Their devices were horrible and software unpolished and lacking. Now after a couple changes and a reinvention of sorts they are filling a void where there is no one else. You have these millions of iPhones and Android devices out there, and this old school world of security conscious enterprises with Blackberries. Where do you get the great corporate security, manageability, accountability, messaging, etcetera but with the consumer grade iPhone’s and Android handsets? Please don’t mention ActiveSync lest I laugh myself into oblivion. That will have to be another topic. Now Good is providing just that. They have an application in the Apple App Store and on the Android Marketplace that does just what I’ve described above but with Good Messaging, not BlackBerry messaging. I’ve demoed their software for 2 weeks on a Nexus S, iPhone, and iPad and it does work and offer better security and better corporate management over ActiveSync. However I still felt like I was running their software in a Windows 95 emulator. Various things felt like they were unpolished, unfinished, or not carefully thought out for usability. If Blackberry entered this arena, once again they could own the field as they did when they more direct competed with Good back in early 2000’s. They would really just have to integrate the BlackBerry world into an application, integrating with the UI of the native OS as closely as possible and adding some nice features.

I remember how I felt about Blackberry they day I gave up my Motorola SkyTel 2-way pager and grabbed the 950 on the data packet based Mobitex network. It was the beginning of the best enterprise messaging the world has ever seen. Now with app store’s that eclipse theirs in quantity and quality, devices that eclipse theirs in features, performance, innovation and choice, they are being boiled down to just that core software base. If they don’t make a move soon, the value with that will diminish, the world will move on, new models will rise, ActiveSync might get more and more acceptable considering the trade-offs by more and more enterprises. Part of me thinks that only if they continue to lose market share, lose users, would they ever decide to take this model on as Good did. I hope they are smart enough to try to execute it before that time. If not, then I hope they continue losing so they have a shot of winning again.

Update [02.28.2011]: Here is another company that will start doing what I described above RIM should do. Except they are really dividing the entire device into an enterprise side and personal side, interesting take…. They are called Enterproid and might even try to emulate a BlackBerry messenger of sorts. Great write-up by CNET on it. The window of opportunity for RIM to make a move here is closing. If they continue to hold on to their old model it will simply crumble around them. I’ll see if I can try out Enterproid and give a write up on it.